Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Storing Social Security Numbers

The HR department at the company that I am currently working for has requested that I provide a system for storing employee social security numbers in our company database. The reason for this is to streamline payroll completion, as we use in-house software for employee timesheets but have to integrate with third-party software for our actual payroll system. This is a relatively small company (20-30 employees), and we'd only be storing current employees' SSN's (so a breach would only have limited impact), but I would still like to bank on security.

I would like to know if there is any convention out there for storing information as sensitive as social security numbers. I'm not very skilled in encryption, and I understand that there are several encryption techniques that I could resort to, but I was wondering if there was one way in particular that was best suited for this type of situation. Would AES be my best bet?

As for current software, we're running MySQL and our web interface is written in PHP and running on an IIS server.

like image 438
cmptrgeekken Avatar asked Oct 31 '08 20:10

cmptrgeekken


People also ask

What are two ways to keep a Social Security number safe?

Other ways to protect your information include not routinely carrying your card or other documents that display your number with you. Also, be careful about sharing your number, even when you're asked for it. You should ask why your number is needed, how it'll be used, and what will happen if you refuse.

Can I store SSN in Google Drive?

Most sensitive information can be stored in Google Drive with the exception of ultra-sensitive (Purple) data such as Social Security numbers and payment card information.

Should I remember my Social Security number?

To avoid a serious case of identity theft, keep your card and your number safe. Do you know your Social Security number? Chances are you have it memorized. If you know your number, you may never need your card again.

Do Social Security numbers need to be encrypted?

Further, securing SSNs is not limited to electronic methods. Appropriate measures must be taken to ensure the confidentiality of fax and paper transmissions containing SSNs. All electronic transactions and transmissions – including emails or email attachments – containing SSNs must be encrypted.


1 Answers

The best method I've seen for storing sensitive data is public key encryption, and storing the private key somewhere other than the database (say, through an application only available to the head of HR and the CEO):

Then we started storing people’s credit cards…but out on the website we’d immediately encrypt them with a public key. ...

On the backend, we had the private key, and with the right pass-phrase we could temporarily decrypt [the private key], then use [the private key] to decrypt a credit card, and charge the card for a DVD.

like image 190
Max Lybbert Avatar answered Sep 24 '22 03:09

Max Lybbert